From cc133e5f57dcc9bc8eced331ffd789934cb5e788 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 6 Dec 2023 20:00:40 +0000
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/abstractions/bwrap-app | 2 +-
 apparmor.d/groups/_full/bwrap | 8 ++++++--
 apparmor.d/groups/children/child-open | 1 +
 apparmor.d/groups/freedesktop/plymouthd | 2 +-
 .../freedesktop/update-desktop-database | 8 ++++----
 .../groups/gnome/evolution-alarm-notify | 2 +-
 apparmor.d/groups/gnome/gio-launch-desktop | 18 ++++------------
 .../gnome/gnome-calculator-search-provider | 12 +++-------
 apparmor.d/groups/gnome/gnome-characters | 5 +----
 apparmor.d/groups/gnome/gnome-contacts | 3 +--
 apparmor.d/groups/gnome/gnome-control-center | 20 ++----------------
 .../gnome/gnome-control-center-goa-helper | 2 +-
 .../gnome-control-center-search-provider | 9 +-------
 apparmor.d/groups/gnome/gnome-session-binary | 8 +------
 apparmor.d/groups/gnome/gnome-software | 6 +----
 apparmor.d/groups/gnome/gnome-terminal-server | 14 +++++-------
 apparmor.d/groups/gnome/gsd-power | 9 +-------
 apparmor.d/groups/network/NetworkManager | 1 +
 .../groups/ubuntu/subiquity-console-conf | 2 +-
 apparmor.d/profiles-a-f/arduino | 4 ++--
 apparmor.d/profiles-a-f/cups-backend-serial | 2 ++
 apparmor.d/profiles-a-f/cups-backend-snmp | 1 +
 apparmor.d/profiles-a-f/cupsd | 2 +-
 apparmor.d/profiles-a-f/fritzing | 4 ++--
 apparmor.d/profiles-g-l/hwinfo | 8 +++-----
 apparmor.d/profiles-s-z/snap | 2 +-
 26 files changed, 49 insertions(+), 106 deletions(-)
diff --git a/apparmor.d/abstractions/bwrap-app b/apparmor.d/abstractions/bwrap-app
index f2ceabe9..ad24eac1 100644
--- a/apparmor.d/abstractions/bwrap-app
+++ b/apparmor.d/abstractions/bwrap-app
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 # Common rules for applications sandboxed using bwrap.
diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap
index 0efe0a6b..6744857c 100644
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@@ -29,8 +29,12 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 network inet6 stream,
 network netlink raw,
- mount,
- umount,
+ mount options=(rw, silent, rslave) -> /,
+ mount fstype=tmpfs -> /tmp/,
+ mount -> /newroot/{,**},
+ mount -> /oldroot/,
+ mount -> /tmp/newroot/,
+ umount /{,oldroot/},
 pivot_root oldroot=/newroot/ -> /newroot/,
 pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index a8713e80..35f18157 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -96,6 +96,7 @@ profile child-open {
 @{bin}/vlc rPUx,
 @{bin}/xarchiver rPx,
 @{bin}/xbrlapi rPx,
+ @{bin}/yelp rPUx,
 @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index ea4ea636..5ba3e5e3 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -61,7 +61,7 @@ profile plymouthd @{exec_path} {
 /dev/ptmx rw,
 /dev/tty@{int} rw,
- /dev/ttyS[0-9]* rw,
+ /dev/ttyS@{int} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database
index 096c44a6..e48c1e70 100644
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
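Review bot: The three new rules `mount -> /newroot/{,**},`, `mount -> /oldroot/,` and `mount -> /tmp/newroot/,` in the bwrap hunk carry neither an fstype nor an options constraint, so unlike the `/` and `/tmp/` rules above them they still permit any mount type onto those targets. If the denials that motivated replacing the bare `mount,` were only bind/rbind mounts, adding `options=(bind, rbind)` or an explicit `fstype=` to them would apply the same narrowing the rest of the hunk does; that is an inference from the rule shapes, not something the hunk shows. A short comment above the block naming which bwrap step each rule serves (the rslave remount of `/`, the tmpfs scratch area, the two pivot_root sequences that follow) would make future tightening safer. The bwrap profile body continues outside the hunk.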
@@ -17,10 +17,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /usr/share/applications/{,**/} r,
- /usr/share/applications/**.desktop r,
- /usr/share/applications/.mimeinfo.cache.* rw,
- /usr/share/applications/mimeinfo.cache w,
+ /usr/share/{,ubuntu/}applications/{,**/} r,
+ /usr/share/{,ubuntu/}applications/**.desktop r,
+ /usr/share/{,ubuntu/}applications/.mimeinfo.cache.* rw,
+ /usr/share/{,ubuntu/}applications/mimeinfo.cache w,
 /usr/share/*/*.desktop r,
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index c0f61924..a88dd5ac 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -14,7 +14,7 @@ profile evolution-alarm-notify @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index e8831dd2..3a42071d 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -14,32 +14,22 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 include
 include
 @{exec_path} mr,
- @{lib}/gio-launch-desktop rix,
+ owner @{HOME}/{,**} rw,
+ owner /tmp/wl-copy-buffer-*/{,**} rw,
- # System files
- /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
+ @{run}/mount/utab r,
- # User files
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- # Required by many gio command
- owner @{HOME}/{,**} rw,
- owner /tmp/wl-copy-buffer-*/{,**} rw,
- /dev/dri/card@{int} rw,
- @{run}/mount/utab r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider
index 61353bca..762e12aa 100644
--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@@ -13,11 +13,9 @@ profile gnome-calculator-search-provider @{exec_path} {
 include
 include
 include
- include
- include
+ include
 include
 include
- include
 signal (send) set=kill peer=unconfined,
@@ -27,15 +25,11 @@ profile gnome-calculator-search-provider @{exec_path} {
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mrix,
- /{usr/,}bin/[a-z0-9]* rPUx,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/x11/xkb/{,**} r,
- /usr/share/icons/{,**} r,
+ @{bin}/* rPUx,
+ /usr/share/nvidia/nvidia-application-profiles-*-rc r,
- owner @{run}/user/@{uid}/gdm/Xauthority r,
- owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/comm r,
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index 3231ce4b..38f4ae94 100644
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -16,7 +16,7 @@ profile gnome-characters @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
@@ -30,12 +30,9 @@ profile gnome-characters @{exec_path} {
 @{bin}/gjs-console rix,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
 /usr/share/libdrm/*.ids r,
 /usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
- /usr/share/themes/{,**} r,
- /usr/share/X11/xkb/{,**} r,
 /usr/share/nvidia/nvidia-application-profiles-*-rc r,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts
index 569405ad..c4758b1e 100644
--- a/apparmor.d/groups/gnome/gnome-contacts
+++ b/apparmor.d/groups/gnome/gnome-contacts
@@ -12,7 +12,7 @@ profile gnome-contacts @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
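Review bot: `@{bin}/* rPUx,` in the second gnome-calculator-search-provider hunk (new line 25) widens the exec rule from `/{usr/,}bin/[a-z0-9]*` to every binary under @{bin}, and the `PUx` fallback runs anything without its own profile unconfined, which turns a shell search provider into a generic unconfined-exec path. If only a handful of helpers are actually executed, listing them explicitly, as the child-open hunk in this patch does for `@{bin}/yelp`, would keep the intended confinement; otherwise a one-line comment above the rule stating why a blanket rule is required would help the next reviewer. The rest of the profile lies outside the hunk.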
@@ -25,7 +25,6 @@ profile gnome-contacts @{exec_path} {
 @{exec_path} mr,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/applications/{,*.desktop} r,
 owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index d261f454..00dd628b 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -17,14 +17,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 include
 include
 include
 include
- include
 include
- include
 include
 network inet dgram,
@@ -56,11 +54,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{bin}/pkexec rPx,
 @{bin}/software-properties-gtk rPx,
 @{bin}/usermod rPx,
- @{lib}/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx,
 @{lib}/cups/backend/snmp rPx,
 @{lib}/gnome-control-center-goa-helper rPx,
 @{lib}/gnome-control-center-print-renderer rPx,
- @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 /usr/share/language-tools/language2locale rix,
 /usr/share/language-tools/language-options rPUx,
@@ -78,16 +75,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /usr/share/gnome/gnome-version.xml r,
 /usr/share/libdrm/*.ids r,
 /usr/share/language-tools/main-countries r,
- /usr/share/mime/{,**} r,
 /usr/share/pipewire/client.conf r,
 /usr/share/thumbnailers/{,*} r,
 /usr/share/wallpapers/{,**} r,
 /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
 /usr/share/zoneinfo/{,**} r,
-
- # freedesktop.org-strict
- /usr/share/*ubuntu/applications/{,**} r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /etc/cups/client.conf r,
 /etc/machine-info r,
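Review bot: `@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx,` in the gnome-control-center hunk at new line 54 moves the network process into its own profile, but the identical glob in the gnome-control-center-goa-helper hunk keeps `rix`, so the same binary is confined differently from the two callers; presumably the helper should switch to `rPx` as well once a WebKitNetworkProcess profile is in place. No profile attached to that path, to `/usr/share/netplan/netplan.script` (NetworkManager hunk) or to `@{lib}/cups/notifier/*` (cupsd hunk) appears in this commit's diffstat, and with `Px` an exec whose target has no loaded profile is denied instead of running inline as the previous `rix` allowed, so each of these rules depends on a profile already existing elsewhere in the tree. For the cupsd glob that means every notifier binary in that directory needs its own attachment or cupsd loses it silently. The removed webkitgtk data and runtime rules in the later gnome-control-center hunks are consistent with the move and are not being questioned here.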
@@ -100,8 +92,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
- /var/lib/snapd/desktop/icons/ r,
- /var/cache/cracklib/cracklib_dict.* r,
 /var/cache/samba/ rw,
 /var/lib/AccountsService/icons/* r,
@@ -120,18 +110,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/backgrounds/{,**} rw,
 owner @{user_share_dirs}/icc/{,edid-*} r,
 owner @{user_share_dirs}/sounds/__custom/{,*} rw,
- owner @{user_share_dirs}/webkitgtk/{,**} r,
- owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
- owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
 owner @{user_share_dirs}/gnome-remote-desktop/ w,
 owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
 owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
 owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
- owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
- owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
- owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
 owner @{run}/user/@{uid}/wayland-@{int} rw,
 @{run}/cups/cups.sock rw,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index 83866fef..0597f09c 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@@ -37,7 +37,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
 @{bin}/bwrap rPUx,
- @{lib}/webkit2gtk-*/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/themes/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider
index b13ca380..5efe6b33 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@@ -13,9 +13,7 @@ profile gnome-control-center-search-provider @{exec_path} {
 include
 include
 include
- include
- include
- include
+ include
 include
 include
@@ -26,13 +24,8 @@ profile gnome-control-center-search-provider @{exec_path} {
 @{exec_path} mr,
- /usr/share/X11/xkb/{,**} r,
 /usr/share/nvidia/nvidia-application-profiles-*-rc r,
- /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
-
- owner @{run}/user/@{uid}/gdm/Xauthority r,
-
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/comm r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 8b6054a7..2f527e2b 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -20,13 +20,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
- include
+ include
 include
 include
 include
- include
- include
 network inet stream,
 network inet6 stream,
@@ -158,10 +155,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /usr/share/gnome-session/hardware-compatibility r,
 /usr/share/gnome-session/sessions/*.session r,
 /usr/share/gnome/autostart/{,*.desktop} r,
- /usr/share/X11/xkb/{,**} r,
 /usr/share/session-migration/scripts/{,*} r,
- /etc/gnome/defaults.list r,
 @{etc_ro}/xdg/autostart/{,*.desktop} r,
 /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
@@ -172,7 +167,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/.local/share/session_migration-* r,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
- /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
 /var/lib/flatpak/exports/share/applications/{,**} r,
 /var/lib/flatpak/exports/share/mime/mime.cache r,
 /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 522bf36c..bc31827a 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -12,9 +12,7 @@ profile gnome-software @{exec_path} {
 include
 include
 include
- include
- include
- include
+ include
 include
 include
 include
@@ -48,7 +46,6 @@ profile gnome-software @{exec_path} {
 /usr/share/appdata/{,**} r,
 /usr/share/metainfo/{,**} r,
 /usr/share/swcatalog/{,**} r,
- /usr/share/X11/xkb/{,**} r,
 /usr/share/xml/iso-codes/{,**} r,
 /etc/appstream.conf r,
@@ -61,7 +58,6 @@ profile gnome-software @{exec_path} {
 /var/cache/app-info/icons/**.png r,
 /var/cache/app-info/xmls/{,**} r,
- /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
 /var/lib/apt/lists/*.yml.gz r,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 6b5595b6..4edf1edc 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -16,13 +16,12 @@ profile gnome-terminal-server @{exec_path} {
 include
 include
 include
- include
- include
- include
- include
- include
+ include
+ signal (send) set=(hup) peer=htop,
 signal (send) set=(term hup kill) peer=unconfined,
+
+ ptrace (read) peer=htop,
 ptrace (read) peer=unconfined,
 dbus bind bus=session name=org.gnome.Terminal,
@@ -64,10 +63,7 @@ profile gnome-terminal-server @{exec_path} {
 @{lib}/gio-launch-desktop rPx -> child-open,
 /usr/share/icu/@{int}.@{int}/*.dat r,
- /usr/share/X11/xkb/{,**} r,
-
- /var/lib/flatpak/exports/share/icons/{,**} r,
- /var/lib/snapd/desktop/icons/{,**} r,
+ /usr/share/sounds/{,**} r,
 /etc/pulse/client.conf r,
 /etc/pulse/client.conf.d/{,**} r,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 70959f73..55760b43 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -24,10 +24,8 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
- include
+ include
 include
- include
 network netlink raw,
@@ -97,9 +95,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/icons/{,**} r,
- /usr/share/X11/xkb/** r,
 /var/lib/gdm{3,}/.config/pulse/ rw,
 /var/lib/gdm{3,}/.config/pulse/cookie rwk,
@@ -108,8 +103,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/.config/pulse/client.conf r,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
- owner @{run}/user/@{uid}/gdm/Xauthority r,
-
 @{run}/udev/data/+backlight:* r,
 @{run}/udev/data/+drm:card* r,
 @{run}/udev/data/+leds:* r,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 40d7cde2..2c7e92bb 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -95,6 +95,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 @{lib}/{,NetworkManager/}nm-openvpn-service rPx,
 @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
+ /usr/share/netplan/netplan.script rPx,
 /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
 / r,
diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf
index 12f5f32d..aa8c9fc8 100644
--- a/apparmor.d/groups/ubuntu/subiquity-console-conf
+++ b/apparmor.d/groups/ubuntu/subiquity-console-conf
@@ -93,7 +93,7 @@ profile subiquity-console-conf @{exec_path} {
 /dev/tty rw,
 /dev/tty@{int} rw,
- /dev/ttyS[0-9]* rw,
+ /dev/ttyS@{int} rw,
 profile journalctl {
 include
diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino
index a4a14920..a09714b1 100644
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
@@ -102,8 +102,8 @@ profile arduino @{exec_path} {
 @{sys}/class/tty/ r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r,
- /dev/ttyS[0-9]* rw,
- /dev/ttyACM[0-9]* rw,
+ /dev/ttyS@{int} rw,
+ /dev/ttyACM@{int} rw,
 # Silencer
 deny /usr/share/arduino/** w,
diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial
index f5084e08..4c02298e 100644
--- a/apparmor.d/profiles-a-f/cups-backend-serial
+++ b/apparmor.d/profiles-a-f/cups-backend-serial
@@ -14,5 +14,7 @@ profile cups-backend-serial @{exec_path} {
 /etc/papersize r,
+ /dev/ttyS@{int} w,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp
index 510c9fe8..39dd7b09 100644
--- a/apparmor.d/profiles-a-f/cups-backend-snmp
+++ b/apparmor.d/profiles-a-f/cups-backend-snmp
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/cups/backend/snmp
 profile cups-backend-snmp @{exec_path} {
 include
+ include
 network inet dgram,
 network inet6 dgram,
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd
index 2fb50e29..ebd286b6 100644
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
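Review bot: The cups-backend-serial hunk adds `/dev/ttyS@{int} w,` but still leaves the file without a terminating newline, as the `\ No newline at end of file` marker after the closing `}` shows; ending the file with a newline while touching it would stop the closing brace from appearing as a changed line in every later edit. The `w`-only access is narrower than the `rw` the arduino, fritzing and snap hunks grant on the same device, which is the tighter choice for a print backend, so a short comment such as `# write-only: the backend streams job data to the printer` above the rule would record that this is deliberate if that is indeed the case.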
@@ -66,7 +66,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 @{lib}/cups/driver/* rix,
 @{lib}/cups/filter/* rix,
 @{lib}/cups/monitor/* rix,
- @{lib}/cups/notifier/* rix,
+ @{lib}/cups/notifier/* rPx,
 /usr/share/cups/{,**} r,
 /usr/share/ghostscript/{,**} r,
diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing
index 49324b0c..b7811563 100644
--- a/apparmor.d/profiles-a-f/fritzing
+++ b/apparmor.d/profiles-a-f/fritzing
@@ -63,8 +63,8 @@ profile fritzing @{exec_path} {
 @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
 @{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]*
- /dev/ttyS[0-9]* rw,
- /dev/ttyACM[0-9]* rw,
+ /dev/ttyS@{int} rw,
+ /dev/ttyACM@{int} rw,
 owner @{run}/lock/LCK..ttyACM[0-9]* rwk,
diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo
index 1f75703b..0fc361b5 100644
--- a/apparmor.d/profiles-g-l/hwinfo
+++ b/apparmor.d/profiles-g-l/hwinfo
@@ -54,9 +54,8 @@ profile hwinfo @{exec_path} {
 /dev/nvram r,
 /dev/psaux r,
 /dev/console rw,
- /dev/ttyS0 r,
- /dev/ttyS1 r,
- /dev/fb[0-9] r,
+ /dev/ttyS@{int} r,
+ /dev/fb@{int} r,
 @{sys}/bus/{,**/} r,
 @{sys}/class/*/ r,
@@ -84,8 +83,7 @@ profile hwinfo @{exec_path} {
 @{PROC}/cmdline r,
 # file_inherit
- /dev/ttyS0 r,
- /dev/ttyS1 r,
+ /dev/ttyS@{int} r,
 owner /tmp/hwinfo*.txt rw,
 @{sys}/devices/pci[0-9]*/**/drm/card@{int}/ r,
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 70686cca..351d9bc8 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -86,7 +86,7 @@ profile snap @{exec_path} {
 @{PROC}/version r,
 /dev/tty@{int} rw,
- /dev/ttyS[0-9]* rw,
+ /dev/ttyS@{int} rw,
 deny @{user_share_dirs}/gvfs-metadata/* r,